Global Payments
Inc., which processes credit cards and debit cards for banks and
merchants, has been hit by a security breach that has put some
50,000 cardholders at risk, according to people with
knowledge of the situation.

Read more on the Wall
Street Journal. Global Payments has not confirmed as of the time
of this posting.

But 50,000? That’s a far cry from
possibly 10 million. Is this the same breach that was reported
earlier today by Brian Krebs or another breach?

Both Heartland Payment Systems and
First Data Corp. have denied being involved in any of the breach
reports from today.

After being named by the Wall Street
Journal earlier today, Global Payments Inc. has issued a press
release about their breach:

Global Payments
Inc, a leader in payment processing services, announced it identified
and self-reported unauthorized access into a portion of its
processing system. In early March 2012, the company determined card
data may have been accessed. It immediately engaged external experts
in information technology forensics and contacted federal law
enforcement. The company promptly notified appropriate industry
parties to allow them to minimize potential cardholder impact. The
company is continuing its investigation into this matter.

“It is
reassuring that our security processes detected an intrusion. It is
crucial to understand that this incident does not involve our
merchants or their relationships with their customers,” said
Chairman and CEO Paul R. Garcia.

"A nice summary at TechDirt brings word that Bruce Schneier has been
debating Kip Hawley, former boss of the TSA, over at the Economist.
Bruce has been providing facts, analysis and some amazing statistics
throughout the debate, and it makes for very educational reading.
Because of the format, the former TSA administrator is compelled to
respond. Quoting: 'He wants us to trust that a 400-ml bottle of liquid
is dangerous, but transferring it to four 100-ml bottles magically
makes it safe. He wants us to trust that the butter knives given to
first-class passengers are nevertheless too dangerous to be taken
through a security checkpoint. He wants us to trust that there's a
reason to confiscate a cupcake (Las Vegas), a 3-inch plastic toy gun
(London Gatwick), a purse with an embroidered gun on it (Norfolk, VA),
a T-shirt with a picture of a gun on it (London Heathrow) and a
plastic lightsaber that's really a flashlight with a long cone on top
(Dallas/Fort Worth).'"

Huang Hoang, the
actress who sued IMDb for revealing her real age, got a small boost
Friday in Washington federal court. The judge overseeing the case
has decided that Hoang’s allegations that IMDb breached
contract and violated laws on consumer protection are
plausible enough to continue. But the judge also offered some relief
to the Amazon.com subsidiary by dismissing two of Hoang’s core
claims and striking her wish to collect $1 million in punitive
damages.

Read more on Hollywood
Reporter. The claim about what the privacy policy meant in terms
of use of her data is an issue privacy advocates will want to watch –
if the case doesn’t settle before trial.

If you are an honest user caught up in
this RIAA mandated lawsuit(?) do you have any rights? Or is this one
of those extreme cases of “caveat emptor”
that chills commerce – “Don't do anything that the RIAA or MPAA
finds objectionable...”

An Ohio man is asking a federal judge
to preserve data of the 66.6 million users of Megaupload, the
file-sharing service that was shuttered in January following federal
criminal copyright-infringement indictments that targeted its
operators.

Represented by civil rights group
Electronic Frontier Foundation, Kyle Goodwin wants U.S. District
Judge Liam O’Grady, the judge overseeing the Megaupload
prosecution, to order the preservation of the 25 petabytes of data
the authorities seized in January. Goodwin, the operator of
OhioSportsNet, which films and
streams high school sports, wants to access his copyrighted footage
that he stored on the file-sharing network. His hard drive crashed
days before the government shuttered the site Jan. 19.

“What is clear is that Mr. Goodwin,
the rightful owner of the data he stored on Megaupload, has been
denied access to his property. It is also clear that this court has
equitable power to fashion a remedy to make Mr. Goodwin — an
innocent third party — whole again,” the group wrote
the judge in a Friday legal filing.

(Related) The Big Chill goes on...
Apparently what they did to MegaUpload wasn't sufficient? Or the MPAA
wasn't able to use nukes?

Only weeks after protests
over two digital copyright bills demonstrated the political
muscle of Internet users, the White House is publicly endorsing new
copyright legislation that also would target suspected pirate Web
sites.

Google’s search breakthrough ensured
that the web would not be a victim of its own success.

Now, the social web faces a similar
problem. It is enormous, and growing, and central to our lives.
There are many successful companies in the social space, just as
there were search leaders before Google emerged. Yet so far there is
no Google for the social graph.

… It won’t be easy. I’d like
to offer up four challenges that I find important, though undoubtedly
there are more:

2. A person is
the sum of all of their profiles: Identity
across social networks must be solved. Linking Facebook, Twitter,
Google Reader, LinkedIn, etc. would be invaluable to researchers.
Actions across social networks are similar (liking,
following/friending, sharing, etc.), so to have a complete list of
actions from a single individual across networks would vastly
increase the amount of data available from looking at a single social
network.

4. Let data be
free: Many types of social data are not public or
are difficult to get. All Twitter data is only accessible
to the select few members of the firehose club. Facebook data is
available for only a select few users. Search was made possible by
web crawlers and a similar accessibility of data must be in place for
the social graph. Of course, accessibility of data brings up lots of
privacy concerns.

Perspective. This is good, because we
wouldn't want just anyone to know about [Deleted by
the Copyright/Trademark Nazis]
or the cure for [Deleted by the
Copyright/Trademark Nazis]
or how to make [Deleted by the
Copyright/Trademark Nazis]

The above chart shows a distribution of
2500 newly printed fiction books selected at random from Amazon's
warehouses. What's so crazy is that there are just as many from the
last decade as from the decade between 1910 and 1920. Why? Because
beginning in 1923, most titles are copyrighted. Books from before
1923 tend to be in the public domain, and the result is that Amazon
carries them -- lots of them. The chart comes from University of
Illinois law professor Paul Heald. In a talk at the University of
Canterbury on March 16, he explained how he made it and what it
shows.

… Heald says that the numbers would
be even more dramatic if you controlled for the number of books
published in those years, because there are likely far more books
published in 1950 than in 1850.

You can watch Heald's whole talk, "Do
Bad Things Happen When Works Fall Into the Public Domain?"
below.

"American high school students
are terrible writers, and one education reform group thinks it has an
answer: robots. Or, more accurately, robo-readers — computers
programmed to scan student essays and spit out a grade. The
theory is that teachers would assign more writing if they didn't have
to read it. [Amen!
Bob] And the more writing students do, the
better at it they'll become — even if the primary audience for
their prose is a string of algorithms. ... Take, for instance, the
Intelligent Essay Assessor, a web-based tool marketed by Pearson
Education, Inc. Within seconds, it can analyze an essay for
spelling, grammar, organization and other traits and prompt students
to make revisions. The program scans for key words and analyzes
semantic patterns, and Pearson boasts it 'can "understand"
the meaning of text much the same as a human reader.' Jehn, the
Harvard writing instructor, isn't so sure. He argues that the best
way to teach good writing is to help students wrestle with ideas;
misspellings and syntax errors in early drafts
should be ignored in favor of talking through the thesis."

Friday, March 30, 2012

VISA and
MasterCard are alerting banks across the country about a recent major
breach at a U.S.-based credit card processor. Sources in the
financial sector are calling the breach “massive,”
and say it may involve more than 10 million
compromised card numbers. [If so, the record is safe Bob]

Read more on KrebsonSecurity.
As always, Brian is all over this story and has gotten some leads
from sources and interviews:

Sources at two
different major financial institutions said the transactions that
most of the cards they analyzed seem to have in
common are that they were used in parking garages in and around the
New York City area.

Ever since Heartland’s breach,
numerous breach reports in the media have (erroneously) mentioned a
payment processor. This time, it sounds like we really do have
another processor breach. Brian reports that “PSCU —
a provider of online financial services to credit unions — said it
alerted 482 credit unions that appear to have had cards impacted by
the breach.”

ELGA, a credit union in Michigan, was one of the credit unions that
received notification, although it’s not clear whether they were
notified by PSCU or by VISA or MasterCard; 450 of their members were
reportedly affected.

The missing information will eventually
come out. Why are they holding it back? It makes them look either
ignorant or secretive – or both.

In a puzzling
breach of security, computer storage devices containing
identification information of 800,000 Californians using the state’s
child support services have gone missing.

The Department of
Child Support Service reported on Thursday the data devices were lost
March 12 en route to California from the Colorado
facilities of IBM, one of the contractors in charge of the storage
devices.

As the 2012 presidential election revs
up, 33 states now permit some form of Internet ballot casting.
However, a senior cybersecurity adviser at the U.S. Department of
Homeland Security warned today that online voting
programs make the country's election process vulnerable to
cyberattacks. [Actually, no. It's crappy security that makes it
vulnerable. Bob]

… "Because we vote by secret
ballot there is no way to confirm that a digital ballot cast over the
Internet is received as it was sent, making detection difficult if
not impossible." [Horsefeathers! Bob]

...but how do you get your name off the
“Harass this uppity second class citizen” list?

Judge:
Bradley Manning supporter can sue government over border search

David Maurice House, an MIT researcher,
was granted the right to pursue a case against the government on
Wednesday after a federal judge denied the government’s motion to
dismiss.

The American Civil Liberties Union
filed
a federal lawsuit in May 2011 on House’s behalf, charging that
he had been targeted solely for his lawful association with the
Bradley Manning Support Network.

… “Despite the government’s
broad assertions that it can take and search any laptop, diary or
smartphone without any reasonable suspicion, the court said the
government cannot use that power to target political speech.”

US customs agents met and briefly
detained House as he deplaned at Chicago’s O’Hare Airport in
November 2010. The agents searched House’s bags, then took him to
a detention room and questioned him for 90 minutes
about his relationship to Manning (the former Army intelligence
analyst currently facing a court martial for leaking classified
documents to the secret-spilling site WikiLeaks). [Why would TSA even
know about this? Is there that much background on every traveler?
Bob] The agents confiscated a laptop computer, a thumb
drive, and a digital camera from House and reportedly demanded, but
did not receive, his encryption keys.

DHS held onto House’s equipment for
49 days and returned it only after the ACLU sent a strongly worded
letter.

I am pleased to point readers to Neil’s
fuller article on this topic, which will be published in the
Georgetown Law Journal, “The Perils of Social Reading.”
Here’s the abstract:

Our
law currently treats records of our reading habits under two
contradictory rules – rules mandating confidentiality, and rules
permitting disclosure. Recently, the rise of the social
Internet has created more of these records and more pressures on when
and how they should be shared. Companies like Facebook, in
collaboration with many newspapers, have ushered in the era of
“social reading,” in which what we read may be “frictionlessly
shared” with our friends and acquaintances. Disclosure and sharing
are on the rise.

This Article
sounds a cautionary note about social reading and frictionless
sharing. Social reading can be good, but the ways in which we set up
the defaults for sharing matter a great deal. Our reader records
implicate our intellectual privacy – the protection of reading from
surveillance and interference so that we can read freely, widely, and
without inhibition. I argue that the choices we make about how to
share have real consequences, and that “frictionless sharing” is
not frictionless, nor is it really sharing. Although sharing is
important, the sharing of our reading habits is special. Such
sharing should be conscious and only occur after meaningful notice.

The stakes in this
debate are immense. We are quite literally rewiring the public and
private spheres for a new century. Choices we make now about the
boundaries between our individual and social selves, between
consumers and companies, between citizens and the state, will have
unforeseeable ramifications for the societies our children and
grandchildren inherit. We should make choices that preserve our
intellectual privacy, not destroy it. This Article suggests
practical ways to do just that.

The
Philosopher Whose Fingerprints Are All Over the FTC's New Approach to
Privacy

… The standard explanation for
privacy freakouts is that people get upset because they've "lost
control" of data about themselves or there is simply too much
data available. Nissenbaum argues that the real problem "is the
inappropriateness of the flow of
information due to the mediation of technology." In her scheme,
there are senders and receivers of messages, who communicate
different types of information with very specific expectations of how
it will be used. Privacy violations occur
not when too much data accumulates or people can't direct it, but
when one of the receivers or transmission principles
change. The key academic term is "context-relative
informational norms." Bust a norm and people
get upset.

The Google Feature-du-jour. Also see
the “Play” link on the Google Home page.

… Google pays publishers for
hosting the surveys (the equivalent of a $15 CPM); marketers, in
turn, pay Google for the demographic-targetable
data the publisher-hosted surveys provide; and users, in turn --
provided they don't find the pop-up microsurveys too annoying to
complete -- get an alternate way of accessing publisher content that
they might otherwise be made to pay for.

I capture lots of videos for my
classes. I'm always looking at new tools...

Web Video Fetcher is an online tool
that allows users to convert any audio or video URL from YouTube,
Myspace, Google, Facebook or any other site
into much more common formats such as Mp3, Mp4, FLV in a few simple
clicks.

The very first thing you should do is
find the video/audio which you want to convert and save on your
computer. Once you find it, just copy the link and paste it into the
text-box provided and click the “Search” icon. The
website will automatically figure out the format of the
audio/video and provide you with the options to download the
video/audio in the common file formats.

Kelli Stopczynski reports on a case in
Michigan where a teacher’s aide refused to allow her employer to
view her Facebook postings and was suspended. In this case, the
district had been alerted by a parent to a photo that the aide had
uploaded to her account.

Lewis Cass ISD
superintendent Robert Colby called her into his office.

“He asked me
three times if he could view my Facebook and I repeatedly said I was
not OK with that,” Hester told WSBT.

In a letter to
Hester from the Lewis Cass ISD Special Education Director, he wrote
“…in the absence of you voluntarily
granting Lewis Cass ISD administration access to you[r] Facebook
page, we will assume the worst and act accordingly.”

Hester keeps that
letter in her stack of documents related to the case. She provided
the letter to WSBT.

Hester said Colby
put her on paid administrative leave and eventually suspended her.

There are some who might argue that the
aide used poor judgement in uploading a silly or unprofessional photo
to her account. But it was her personal account and
on her own time and it was not publicly available. Could
her employer rightfully claim that such conduct or images hurts the
image of the district? Perhaps. In this case, a parent was the one
who reported the matter – a parent who had friended the aide on
Facebook.

But where is the line here? I don’t
like an employer assuming the worst or that an employee who asserts
their right to privacy has “something to hide.” But laws do not
protect employees from this type of demand in many states.

The lines have been blurred between our
professional lives and our online, but still personal, lives.
Employers can certainly see what’s publicly
available. But should they be allowed to demand access to what an
employee takes pains to protect as private? And should
such material be used to terminate their employment?

Back in the day, if an employee
conducted himself or herself somewhat inappropriately (like being a
drunken spectacle at a party), there might be talk and gossip at work
the next week, but their job wasn’t generally in jeopardy. Even if
someone were to come in with a photo of drunken behavior, it would
not lead to job termination. So why is a photo on a private page now
the basis for job termination?

This is not a brave new world. It’s
a confused new world that shrinks our private lives each day unless
we draw a line in the cybersand and say, “This is mine, and no, you
can’t have it.”

James Vicini reports on a somewhat
disappointing but unsurprising verdict by the Supreme Court:

The U.S. Supreme
Court ruled on Wednesday that a pilot from San Francisco, whose
status as HIV-infected was disclosed by one federal agency to another
one in violation of a privacy law, cannot sue for damages for mental
and emotional distress.

By a 5-3 vote with
conservative justices holding sway, the court overturned a ruling by
a U.S. appeals court in California and held that violations of a 1974
federal privacy law allowed only for actual damages such as
out-of-pocket financial losses.

Read more on Reuters.
Barbara Leonard of Courthouse
News provides additional background on the case. You can find
the Supreme Court’s decision here
(pdf), but the heart of it (for me) concerns whether the Privacy Act
limited damages to actual damages as in incurred economic loss or
includes emotional harm or distress. The court held that the law
restricted damages to actual damages, noting:

We do not claim
that the contrary reading of the statute accepted by the Court of
Appeals and advanced now by respondent is inconceivable. But because
the Privacy Act waives the Federal Government’s sovereign immunity,
the question we must answer is whether it is plausible to read the
statute, as the Government does, to authorize only damages for
economic loss. Nordic Village, 503 U. S., at 34, 37. When
waiving the Government’s sovereign immunity, Congress must speak
unequivocally. Lane, 518 U. S., at 192. Here, we conclude that it
did not. As a consequence, we adopt an interpretation of “actual
damages” limited to proven pecuniary or economic harm. To do
otherwise would expand the scope of Congress’ sovereign immunity
waiver beyond what the statutory text clearly requires.

Google has just launched a new service
called Account
Activity, allowing users to produce periodical reports showing
their usage patterns of Google products. Google’s activity reports
mean you can now get a report that shows you how much
Gmail you’ve received over the past month, how much you’ve sent,
what were your top Google searches, where you were located during the
month, and more.

"The federal government’s
role in protecting U.S. citizens and critical infrastructure from
cyber attacks has been the subject of recent congressional interest.
Critical infrastructure commonly refers to those entities that are
so vital that their incapacitation or destruction would have a
debilitating impact on national security, economic security, or the
public health and safety. This report discusses selected legal
issues that frequently arise in the context of recent legislation to
address vulnerabilities of critical infrastructure to cyber threats,
efforts to protect government networks from cyber threats, and
proposals to facilitate and encourage sharing of cyber threat
information amongst private sector and government entities. This
report also discusses the degree to which federal law may preempt
state law."

Hoover-esque? Why would any “law
enforcement” agency not accurately train its personnel in the law?
Because it is easier to enforce the law without all those silly
legal restrictions!

The FBI once taught its agents that
they can “bend or suspend the law” as they wiretap suspects. But
the bureau says it didn’t really mean it, and has now removed the
document from its counterterrorism training curriculum, calling it an
“imprecise” instruction.

(Related) This suggests why the FBI
feels they need to “cheat” a bit to “catch up” with crooks
and terrorists.

"Shawn Henry, who is preparing
to leave the FBI after more than two decades with the bureau, said in
an interview that the
current public and private approach to fending off hackers is
'unsustainable.' 'I don't see how we ever come out of this
without changes in technology or changes in behavior, because with
the status quo, it's an unsustainable model. Unsustainable in that
you never get ahead, never become secure, never have a reasonable
expectation of privacy or security,' Mr. Henry said."

Google e-Discovery. No doubt they're
good at it by now. Should be of interest to those who have switched
to Gmail...

Today, Google is debuting
a new archiving, records management and e-discovery solution for
Google Apps for businesses called Vault.

Google Apps Vault, which is priced at
$5 per user, per month, allows businesses to reduce risks and costs
associated with litigation, investigation, and compliance audits by
providing an in-depth archiving system in the cloud. So all emails,
documents and chat messages from Gmail can be accessed in one place.
Businesses can define what needs to be retained for Gmail and
on-the-record chat messages based on content, labels, and metadata.

As Google says, governance policies are
applied directly to the native data store, eliminating the need to
duplicate data in a separate archive and helping to reduce the risks
associated with data movement and from spoliation.

Search is also a part of Vault, and via
the new service users can search across large amounts of email in an
archive, and define and manage collections of message search results
and collaborate with others to manage them. Email can also be
exported for further review and processing.

"Mayor Ude reported today that
the
city of Munich has saved €4 million so far (Google translation
of German
original) by switching its IT infrastructure from Windows NT and
Office to Linux and
OpenOffice. At the same time, the number of trouble tickets
decreased from 70 to 46 per month. [If
I recall, they actually trained people to use the new software Bob]
Savings were €2.8M from software licensing and €1.2M from
hardware because demands are lower for Linux compared to Windows 7."

This is a joke, right? Something to
make the “politically correct” extremists look ridiculous? They
sure made the article look real...

"New York educators banned
references to 'dinosaurs,' 'birthdays,' 'Halloween' and dozens of
other topics on city-issued tests. That is because they fear
such topics 'could evoke unpleasant emotions in the students.'
Dinosaurs, for example, call to mind evolution, which might upset
fundamentalists; birthdays are not celebrated by Jehovah's Witnesses;
and Halloween suggests paganism. Homes with swimming pools and home
computers are also unmentionables — because of economic
sensitivities. The city asks test companies
to exclude 'creatures from outer space' as well — for unspecified
reasons."

"Another example of Star Trek
technology becoming a reality. In light of the recent Tricorder
X-Prize announcement, Dr.
Peter Jansen has openly released the designs for a series of
Science Tricorders that he developed while a graduate student at
McMaster University. The Science Tricorders are capable of sensing a
variety of atmospheric, electromagnetic, and spatial phenomena.
Where the Science
Tricorder Mark 1 is a relatively
easy-to-build proof of concept, the Science
Tricorder Mark 2 runs Linux and resembles a cross between a
Nintendo DS and scientific instrument with dual OLED touch displays.
An exciting video shows them in action, and describes the project
goal of creating general scientific tools for learning about and
visualizing the world, as well as their importance for science
education by helping kids understand abstract concepts like magnetism
or polarization visually. The hardware
schematics, board layouts, and firmware source are freely available
on the Tricorder project
website under various open licenses."

I
use my RSS reader every morning to produce my Blog. There are MANY
free RSS readers. Find one that is intuitive...

I still remember the first time I saw
Google Reader in action. I was instantly in love with it! Without a
doubt RSS feeds and Google Reader are the most important tool that I
use on a daily basis. Sure I could subscribe via email to all 300+
of my favorite websites, but who wants more email? And I certainly
don't want to open 300+ sites individually. Subscribing to RSS feeds
in Google Reader lets me keep up with my favorite sites. So while
tech blogs like to make claims that Twitter, Google+, and other
platforms will make RSS feeds redundant, I still love my RSS feeds.

Wednesday, March 28, 2012

Howard University
Hospital this week sent notification to patients of a potential
disclosure of their protected health information in late January. A
former contractor’s personal laptop containing patient information
was stolen, according to a statement by the hospital.

The laptop, taken
from the former contractor’s vehicle, was password protected.

[...]

The hospital has
sent letters to 34,503 patients affected by the breach. The records
contained the Social Security numbers for a number of those patients.

Read more on WUSA9.com,
although you can probably write the story by now
yourself. [...while napping Bob]

A link on the hospital’s homepage
says:

Howard University
Hospital this week sent notification to patients of a potential
disclosure of their protected health information that occurred in
late January when a former
contractor’s personal laptop containing patient information was
stolen.

Physicians who own mobile devices should make the following
assumption: If they lose a smartphone or tablet,
someone is going to try to see what’s on it.

With an estimated
80% of physicians using a mobile device on the job, a lot of patient
data is vulnerable to breaches unless steps are taken to protect it.
Data encryption is the one thing that protects
physicians from having to report a breach if data go missing.
But ensuring data encryption on a mobile device can be a little
tricky. At the least, there are other ways to help ensure that data
aren’t accessed if you happen to leave your phone behind in a taxi
or at a restaurant.

The failure of a
Des Moines restaurant chain to fully comply with a federal
anti-identity theft law will soon lead to free soft
drinks for some of its former patrons, assuming a federal
judge approves.

Lawyers in a
complicated class-action lawsuit have submitted a proposed settlement
that will, if it is approved by U.S. District Judge James Gritzner,
eventually lead to $170,000 for the plaintiffs’
attorneys and coupons for people who can prove they used a
credit card or debit card during a three-year period at Palmer’s
Deli & Market.

The lawsuit, filed
initially on June 1, 2011, accused Palmer’s of willfully violating
a 2003 federal law that requires the truncation of credit card
numbers and expiration dates on printed store receipts.
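The receipt-truncation rule the lawsuit turns on is concrete enough to check in code. The following is an added example, not anything from the case or the article: it implements the FACTA receipt rule (15 U.S.C. 1681c(g): an electronically printed customer receipt may show no more than the last five digits of the card number and must not show the expiration date) as a masking helper for the receipt printer and as an audit that scans already-printed receipt lines for violations. The receipts and the `4111 1111 1111 1111` test number are constructed samples; the PAN and expiry regexes are heuristics of my own, not a standard.

```python
import re

# FACTA receipt rule (15 U.S.C. 1681c(g)): at most the last five digits of
# the card number may be printed, and the expiration date may not be.
MAX_VISIBLE_DIGITS = 5

# Heuristic: 12-19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){11,18}(?!\d)")
# Heuristic: MM/YY or MM/YYYY that is not part of a longer date (06/01/2011).
_EXPIRY_RE = re.compile(r"(?<![\d/])(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})(?![\d/])")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers; filters out phone numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Return the card number with every digit but the last `visible` masked."""
    if visible > MAX_VISIBLE_DIGITS:
        raise ValueError("FACTA allows at most 5 visible digits on a receipt")
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number must be 12-19 digits")
    return "*" * (len(digits) - visible) + digits[-visible:]


def format_receipt_card_line(scheme: str, pan: str) -> str:
    """What the receipt printer should emit: scheme and masked number only.
    The expiration date is deliberately never passed in, so it cannot leak."""
    return f"{scheme} {truncate_pan(pan)}"


def audit_receipt(lines):
    """Scan printed receipt lines; return (1-based line number, issue) tuples."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((n, "untruncated card number"))
                break
        if _EXPIRY_RE.search(line):
            findings.append((n, "expiration date printed"))
    return findings


# Constructed sample receipts (hypothetical, not from the case).
BAD_RECEIPT = [
    "PALMER'S DELI & MARKET (constructed sample)",
    "VISA 4111 1111 1111 1111",
    "EXP 05/14",
    "06/01/2011 12:34  TOTAL $12.50",
]
GOOD_RECEIPT = [
    "PALMER'S DELI & MARKET (constructed sample)",
    format_receipt_card_line("VISA", "4111 1111 1111 1111"),
    "06/01/2011 12:34  TOTAL $12.50",
]

if __name__ == "__main__":
    print(audit_receipt(BAD_RECEIPT))   # [(2, 'untruncated card number'), (3, 'expiration date printed')]
    print(audit_receipt(GOOD_RECEIPT))  # []
```

The audit is the part a merchant would actually run: pull a sample of receipt spool output from each point-of-sale terminal and check that nothing matching a Luhn-valid number or an expiry survives, since the statute applies to what is printed, not to what the terminal is configured to do.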

This is not the first
time we’ve seen a settlement like this. Olive
Garden had a similar one in May 2009, but the members of that
class got coupons for $9.00 worth of appetizers. And members of a
class action lawsuit against Primanti
Brothers got coupons for free sandwiches in October 2010.
Although it doesn’t seem like members of this class benefit
significantly in the usual sense of “significantly,” the
settlement may save Palmer’s from being bankrupt should
they have to pay statutory damages. The firm’s
insurance company is also suing them, claiming they should not be
liable for any costs or expenses from this incident.

The RockYou breach, disclosed in
December 2009, stands as the 10th largest breach
on DataLossDB’s counter after 32 million login credentials were
compromised. A civil suit, Claridge v. RockYou, is still
unsettled, although a proposed settlement was submitted to the court
in November 2011. Previous coverage on this breach can be found
here.
Now the FTC has issued a statement
on a proposed settlement of its charges against the firm:

The operator of a
social game site has agreed to settle charges that, while touting its
security features, it failed to protect the privacy of its users,
allowing hackers to access the personal information of 32
million users. The Federal Trade Commission also alleged
in its complaint against RockYou that RockYou
violated the Children’s Online Privacy Protection Act Rule (COPPA
Rule) in collecting information from approximately 179,000
children. The proposed
FTC settlement order with the company bars future deceptive
claims by the company regarding privacy and data security, requires
it to implement and maintain a data security program, bars future
violations of the COPPA Rule, and requires it to pay a $250,000 civil
penalty to settle the COPPA charges.

According to the
FTC complaint, RockYou operated a website that allowed consumers to
play games and use other applications. Many consumers used the site
to assemble slide shows from their photos, using a caption capability
and music supplied by the site. To save their slide shows, consumers
had to enter their email address and email password.
[email is an identifier, what purpose does sharing the password
serve? Bob]

The FTC’s COPPA
Rule requires that website operators notify parents and obtain their
consent before they collect, use, or disclose personal information
from children under 13. The Rule also requires that website
operators post a privacy policy that is clear, understandable, and
complete.

The FTC alleged
that RockYou knowingly collected approximately 179,000 children’s
email addresses and associated passwords during registration –
without their parents’ consent – and enabled children to create
personal profiles and post personal information on slide shows that
could be shared online. The company asked for kids’ date of birth,
and so accepted registrations from kids under 13. In addition, the
company’s security failures put users’, including children’s,
personal information at risk, according to the FTC. The FTC charged
that RockYou violated the COPPA Rule by:

not spelling out its collection,
use and disclosure policy for children’s information;

not maintaining reasonable
procedures, such as encryption to protect the confidentiality,
security, and integrity of personal information collected from
children.

The proposed
settlement order bars deceptive claims regarding privacy and data
security and requires RockYou to implement a data security program
and submit to security audits by independent
third-party auditors every other year for 20 years. [Ask any
accounting firm to do this – it will probably save you more than
$250,000 Bob] It also requires RockYou to delete
information collected from children under age 13 and bars violations
of COPPA. Finally, RockYou will pay a $250,000 civil penalty for its
alleged COPPA violations.

The FTC has a new
publication, Living
Life Online, to help tweens and teens navigate the internet
safely.

The Commission
vote to authorize the staff to refer the complaint to the Department
of Justice and to approve the proposed consent decree was 4-0. The
DOJ filed the complaint and proposed consent decree on behalf of the
Commission in U.S. District Court for the Northern District of
California on March 26, 2012. The proposed consent decree is subject
to court approval.

So… if it wasn’t for the children’s
data, would the FTC have gone after RockYou or fined them? The
passwords were stored plain-text, but the only reference to
encryption in this release applies to children’s data, not the
adults’.
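Since the point above turns on RockYou keeping passwords in plain text, here is an added illustration (written for this post, not code from RockYou or from the FTC release) of what a leaked credential table exposes when passwords are stored as-is versus as salted, iterated hashes. The email and password are constructed sample values, and the PBKDF2 iteration count is an assumption chosen for illustration; nothing here is drawn from the actual breach data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credential; not real user data.
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_PASSWORD = "hunter2"

# Assumption: iteration count picked for this example, not a recommendation
# taken from the page.
ITERATIONS = 600_000


def store_plaintext(store: Dict[str, str], email: str, password: str) -> None:
    """The practice described in the complaint: the password itself is the record."""
    store[email] = password


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Derive a per-user salted hash; only salt, hash and parameters are stored."""
    if salt is None:
        salt = os.urandom(16)           # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(record["iterations"])
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def password_visible_in_dump(store: Dict[str, object], password: str) -> bool:
    """Simulate an attacker reading the whole table: does the password appear verbatim?"""
    return password in repr(store)


if __name__ == "__main__":
    plain: Dict[str, str] = {}
    store_plaintext(plain, SAMPLE_EMAIL, SAMPLE_PASSWORD)
    hashed = {SAMPLE_EMAIL: hash_password(SAMPLE_PASSWORD)}

    print("plaintext table leaks password:", password_visible_in_dump(plain, SAMPLE_PASSWORD))
    print("hashed table leaks password:   ", password_visible_in_dump(hashed, SAMPLE_PASSWORD))
    print("login still works with hash:   ", verify_password(SAMPLE_PASSWORD, hashed[SAMPLE_EMAIL]))
```

Run it and the first line reports True, the other two report False and True: a dump of the hashed table still lets the site authenticate users, but no longer hands an intruder the credential that also opens the user's email account.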

Update: I see that in
his coverage of the proposed order, Jaikumar
Vijayan reports that the civil suit against RockYou settled in
December. If he’s referring to Claridge v. RockYou, the
motion for settlement is due to be heard tomorrow (March 28).

Now Perry Mason doesn't need to ask,
“Where were you on the night of the crime?”

If you're nervous about giving your
teen driver the keys to the family car, you may be able to buy peace
of mind from OnStar. The telematics company now offers the ability
to tell you where your vehicles, and possibly the drivers, are at any
time.

Family Link is an optional add-on
service to the operator assisted emergency response and navigation
services offered by OnStar. Subscribers can log on to OnStar's
Family Link Web site to view a map with the vehicle's location at any
time. They can also schedule email or text alerts to update them
periodically on the location of the automobile on specific days or
times.

If they had trained their officers in a
misinterpretation of the
law, I can't see how they could be disciplined for following their
training. So it appears they had no training in that area.

"The City of Boston has reached
a $170,000 settlement with Simon Glik, who was arrested by Boston
Police in 2007 after using his mobile phone to record police
arresting another man on Boston Common. Police
claimed that Glik had violated state wiretapping laws,
but later dropped the charges and admitted
the officers were wrong to arrest him. Glik had brought a
lawsuit against the city (aided by the ACLU) because he claimed his
civil rights were violated. According to today's ACLU statement: 'As
part of the settlement, Glik agreed to withdraw his appeal to the
Community Ombudsman Oversight Panel. He had complained about the
Internal Affairs Division's investigation of his complaint and the
way they treated him. IAD officers made fun of Glik for filing the
complaint, telling him his only remedy was filing a civil lawsuit.
After the City spent years in court defending
the officers' arrest of Glik as constitutional and reasonable, IAD
reversed course after the
First Circuit ruling and disciplined two of the officers for
using "unreasonable judgment" in arresting Glik.'"

The downside of building your own
country to avoid the laws of other countries is...

"Ars has a great article about
the history of Sealand, a data haven — a place where you can host
almost anything, as long as it follows the very bare laws of Sealand
Government. Quoting: 'HavenCo's failure — and make no mistake
about it, HavenCo did fail — shows
how hard it is to get out from under government's thumb. HavenCo
built it, but no one came. For a host of reasons, ranging from its
physical vulnerability to the fact that The Man doesn't care where
you store your data if he can get his hands on you, Sealand was never
able to offer the kind of immunity from law that digital rebels
sought. And, paradoxically, by seeking to avoid government, HavenCo
made
itself exquisitely vulnerable (PDF) to one government in
particular: Sealand's.'"

This is as old as the “razors and
blades” model – probably older (Og give you fire. You give Og
mastodon steaks!)

… When Apple launched its digital
game store in 2008, most games cost a few dollars. The success of
99-cent apps drove prices down. Then in 2009, Apple changed its
store to allow free downloads to feature in-app purchases, for the
first time making it possible to give away a game and
make money later.

Now free is the most lucrative price
point. From kids’ games like Smurfs’ Village to
puzzles like Bejeweled Blitz, 15 of the first 20 games
on Apple’s Top-Grossing Apps list are free. The analyst group
Distimo estimates that half
of the revenue for the 200 top-grossing apps comes from the freemium
model. Everyone from indie game developers to established
companies is jumping on the freemium bandwagon.

… The couple released Temple Run on
the App Store in August for 99 cents.

It did well, at first. “It got a ton
of critical acclaim, it got featured [on the App Store menu], people
loved it,” says Luckyanova. Temple Run was one of the
top 50 paid apps. The couple sold about 40,000
copies at 99 cents a pop. But then it started sliding
down the list. With little to lose, Shepherd and Luckyanova abruptly
changed the price to zero, hoping to make
money by getting players to trade real-life cash for virtual
currency.

Revenue immediately
increased. People told their friends — hey, play this
game. It’s free. You can grab it right now. By Christmas, it was
the top-grossing app on the store. “It snowballed into a viral
effect,” says Shepherd. The game is now at 46
million free downloads — and Shepherd and Luckyanova
estimate that 1 to 3 percent of players wind up
spending money on the game.

"Micro Systemation, a
Stockholm-based company, has released a video showing that its
software can easily
bypass the iPhone's four-digit passcode in a matter of seconds.
It can also crack Android phones, and is designed to dump the
devices' data to a PC for easy browsing, including messages, GPS
locations, web history, calls, contacts and keystroke logs. The
company's director of marketing says it uses an undisclosed
vulnerability in the devices it targets to run a program on the phone
that brute-forces its passcode. He says the company's business is
'booming' and that it's sold the devices to law enforcement and
military customers in 60 countries. He says Micro Systemation's
biggest customer is the U.S. military."

Since
China is in flux (to the point where civil war is possible?) are
stories like these just a way for the government to admit publicly
what we kind of knew anyway but no one wanted to say for fear of
“offending” the Chinese government?

Harry
Potter And The Great Sideloading Gamble. A ‘Dark Day’ For
Publishers?

A milestone today in the world of
publishing, as Pottermore.com,
the site dedicated to all digital things Harry Potter, opened for
business as the exclusive distributor of Harry Potter e-books and
audiobooks. This marks the first time that a major author has
ventured forth to offer e-books directly to the public, bypassing
publishers’ sites and online bookstores in the process, to allow
readers to buy the content direct and then sideload it to their
reading platform of choice.

You may have noticed that we've posted
quite a few original videos on Slashdot in the past few months.
Rather than being the work of a few rogue editors with newly-acquired
Christmas cameras, this was part of the groundwork for a new site
we're launching today. SlashdotTV,
found at http://tv.slashdot.org,
will let you easily find and watch all of our videos in one
convenient location. In addition to Slashdot content, you also can
watch videos from our sister sites, SourceForge
and ThinkGeek. The site is
brand new, and we're interested in hearing your feedback -- what you
think about it, and what kind of videos you'd like to see.
Currently, you can embed our videos on your own site
or show them to your friends with our share feature.
Commenting is coming soon. Check back often for new videos, and keep
watching!

Tuesday, March 27, 2012

You
can do everything right, but still incur penalties – lessons learned
from BCBS of Tennessee

… BCBSTN had many security measures
in place. The hard drives were stored in a closet that was secured
by biometric and keycard scan security with a magnetic lock and an
additional door with a keyed lock. The office space was in a
building that had security. Nevertheless, HHS alleged that BCBSTN
had failed to perform a security risk evaluation and had failed to
implement appropriate physical safeguards because it did not have
adequate facility access safeguards as required by the HIPAA Security
Rule. Commenting on the settlement, the Office of Civil Rights at
HHS emphasized the need for providers who are moving locations to
update their risk assessment and keep track of their data during the
transition. Without any admission of a HIPAA/HITECH violation,
BCBSTN agreed to pay $1.5m as a part of the settlement – the
maximum amount payable in civil penalties for each disclosure under
the HITECH Act.

Would
the result have been different if BCBSTN had secured the vacated
office space where the hard drives were stored? What if they had
posted a security guard at the office entrance? These measures may
have saved BCBSTN from the $1.5m settlement with HHS, but if a
determined thief had overcome the security guard and stolen the hard
drives, it would not have saved them from the costs of investigation,
notification and remediation resulting from the breach. Those costs
are reported to be nearly $17 million, an amount that dwarfs the
$1.5 million settlement.

…
This lesson was clearly illustrated in the recent report
from the American National Standards Institute – "The
Financial Impact of Breached Protected Health Information: A Business
Case for Enhanced PHI Security". [
http://webstore.ansi.org/phi/
Bob] The Report provides a tool that allows
organizations to estimate the overall potential costs of a data
breach and provides a methodology for determining an appropriate
level of investment to reduce the probability of a breach.

True
or not, a lot of people will “assume” it is true because of past
acts Murdoch has admitted to.

"Neil Chenoweth, of the
Australian Financial Review, reports that the BBC program Panorama
is making new allegations against News Corp of serious misconduct.
This time it involves the NDS division of News Corp, which makes
conditional access cards for pay TV. It seems
that NDS
also ran a sabotage operation, hiring pirates to crack
the cards of rival companies and posting the code on The
House of Ill Compute (thoic.com), a web site hosted by NDS. 'ITV
Digital collapsed in March 2002 with losses of more than £1 billion,
overwhelmed by mass piracy, as well as technical restrictions and
expensive sports contracts. Its collapse left Murdoch-controlled
BSkyB
the dominant pay TV provider in the UK.' Chenoweth reports that
James Murdoch has been an advocate for tougher penalties for pirates,
'These are property rights, these are basic property rights,' he
said. 'There is no difference from going into a store and stealing a
packet of Pringles or a handbag, and stealing something online.
Right?'"

"Following up on an earlier
Slashdot story, earlier today, the U.S. House of Representatives
Committee on Oversight and Government Reform and the Committee on
Transportation and Infrastructure held a hearing titled 'TSA
Oversight Part III: Effective Security or Security Theater?' ...
In a blog
update, Bruce Schneier says that 'at the request of the TSA' he
was removed
from the witness list. Bruce also said 'it's pretty clear that
the TSA is afraid of public testimony on the topic, and especially of
being challenged in front of Congress. They want to control the
story, and it's easier for them to do that if I'm not sitting next to
them pointing out all the holes in their position. Unfortunately,
the committee went along with them.'"

“The right to be forgotten”
extended to “the right to keep you from knowing?”

… Well, now. The principal of
Garrett High School told INC that regardless of whether it was sent
from home--or, indeed, whether a school computer was used--the school
may track students' tweets.

… Fort
Wayne's Journal Gazette does report that Carroll is something of
an eccentric. He fought to be allowed to wear a kilt on Irish
holidays. He had also been warned before about sending ribald tweets
using school-issued computers.

This time, though, there seems ample
evidence that he tweeted at 2:30 a.m. Still, the
school reportedly maintained that the tweets were adorned with its IP
address. [Given the facts, that is impossible. Bob]

… The school appears no longer to
be speaking publicly, on the advice of its attorney. Meanwhile, some
of the students threatened a protest on Friday, so much so that
police were called.

It may well be that Carroll's tweet
didn't represent the highest type of wit. Some might conclude,
though, that the principal of Garrett High School is a very
particular type of wit indeed.

Today the FTC is
releasing a major report
on privacy. Privacy geeks will read the whole thing–and
should, because it represents a lot of careful thinking by folks in
the agency.

But if you’re a
techie who doesn’t have time to read it all, let me point you to a
few of the parts you’ll probably find most interesting.

When you’re
reading, keep in mind that the report does not by itself establish
any new laws or regulations. It summarizes current law and asks
Congress to consider new laws in certain areas, but most of the
discussion is about best practices that the FTC thinks
well-intentioned companies will want to follow. These best practices
are organized in a three-part framework: privacy
by design, which means building privacy into your
products and practices from the beginning; simplified
choice for consumers; and greater
transparency about data
practices.

Major advertisers
and corporations have been quietly tracking the online movements of
those visiting “Occupy Wall Street” related sites for months.
They have have used this data to create detailed portraits of the
lives and interests of potential protestors. This data is then sold
in unregulated markets and retained indefinitely in databases that
may be subject to secret government subpoena. The most shocking
thing about this is who is ultimately responsible: the
self-proclaimed revolutionaries who run the sites.

However, this is
not an act of malice: most likely website operators
have no idea they are allowing their visitors to be tagged and
tracked. [Except those created and run by law enforcement Bob]

"In a recent story that is
beating around the nets, Kim Dotcom has fired back at studios with
emails that make for some interesting reading: 'A Disney executive
e-mailed Megaupload in 2008. He said he was interested
in having Megaupload host Disney content, but said he would need
Megaupload to tweak its terms of service to make it clear Disney
retained ownership of files uploaded to the site. He sent Megaupload
a proposed alternative to the standard Megaupload TOS. Fox emailed
"Please let me know if you have some time to chat this week
about how we can work together to better monetize your inventory,"
in an attempt to promote their newly launched ad network. And
finally, this gem: a Warner Brothers executive e-mailed Megaupload
seeking to expedite the process of uploading Warner content to
Megaupload. "I would like to know if your site can take a Media
RSS feed for our syndications," he wrote. "We would
like to upload our content all at once instead of one video at a
time."' Pot calling the kettle black anyone?"

Does
this come as a surprise to anyone (aside from a few very out of touch
academics at Oxford?) Why would anyone assume that the availability
of knowledge automatically results in free academic journal articles
generated by the self-educated?

… the Anglophone world dominates
with the United States doing the lion's share of academic and
user-generated publishing.

Those are the messages of the Oxford
Internet Institute's new e-book, Geographies
of the World's Knowledge, [Free for the iPad
Bob] from which these two graphics were drawn. In the
book's foreword, Corinne Flick of the Convoco Foundation reluctantly
concludes that the Internet has not delivered on the hopes that it
would make knowledge "more accessible."

… We're not only talking about
publishing in academic journals or Wikipedia. The book's authors
sampled user-generated content on Google and found that
rich countries, especially the United States, dominate the production
of user content.

The fact of the matter is that people
without money can't afford to get the education necessary to publish
in academic journals, Internet-enabled or not. The other
fact of the matter is that the vast majority of people in very poor
countries don't spend their time producing content for free. Hope
as we might, [Hope is not a plan. What have you done. Bob]
the Internet isn't a magic wand that makes the world more equal.

For
my Data Mining / Data Analytics students: See, I told ya! (Also
note that the “don't know what to do with it” can apply to
governments.)

Study:
Enterprises Want More Marketing Data, But They Don’t Know What To
Do With It

Online marketers and advertising are
getting access to more and more data, but that’s not enough,
according to the 2012 Digital Marketing 2.0 Study commissioned by ad
company DataXu.

More than 350 “enterprise decision
makers” in management, marketing, communications, digital, IT and
social media were surveyed, and 75 percent of them said that data
will help them improve their businesses. However, 58 percent said
they didn’t have the skills and technology needed to analyze
marketing data, while more than 70 percent said the same about
customer data.

If you are looking to get into
web-based programming, or you are already knowledgeable and are
looking for a way to experiment with some code without downloading a
compiler, then Codecademy is the website for you. They allow you to
write and test code in three of the most popular web-based languages:
Java, Ruby and Python.

For the new coder, they
offer classes. They start with the basics and move up to
more advanced stuff. If you have been looking for a way to break
into writing code this website is great. It starts slowly and
doesn’t push you into the advanced stuff too quickly.

If you need an all-in-one
search portal for downloads, you should check out Foofind. This
search engine lets you find audio, video, documents, and images
through direct downloads, torrents, gnutella, and streams.

… SurDoc is a web service that
offers people a free backup option for their digital documents. You
start by creating an account on the site and then downloading its
desktop client for Windows. Through the desktop client you can
figure out the document syncing options and set up automatic
synchronization. Your documents are uploaded to your account and can
be read anywhere you have access to your SurDoc account in the site’s
own reading interface. The ability to create folders and sort
documents into them helps you keep things organized.

The
service offers 10GB of free storage to its users and accepts all
document file formats.

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.